
> Learn how to configure Auth0 to pass the OpenID FAPI Certification Tests.

# Configure Auth0 to pass OpenID FAPI Certification Tests

This section contains some advice on how to configure your client if you would like to test your solution using the [OpenID FAPI Conformance Tests](https://openid.net/certification/certification-fapi_op_testing/).

To pass the <Tooltip tip="OpenID: Open standard for authentication that allows applications to verify users' identities without collecting and storing login information." cta="View Glossary" href="/docs/glossary?term=OpenID">OpenID</Tooltip> FAPI Conformance Tests, first configure the following:

* Set the `compliance_level` property to the desired profile, either `fapi1_adv_pkj_par`, `fapi1_adv_mtls_par`, `fapi2_sp_pkj_mtls`, or `fapi2_sp_mtls_mtls`
* Either [Configure mTLS](/docs/get-started/applications/configure-mtls) (including [mTLS aliases](/docs/get-started/applications/configure-mtls/configure-mtls-for-a-tenant#enable-mtls-aliases)) or [Configure Private Key JWT](/docs/get-started/applications/configure-private-key-jwt)
* [Configure mTLS Token Binding](/docs/get-started/applications/configure-mtls/configure-mtls-for-a-client#enable-token-binding)
* Configure [Pushed Authorization Requests](/docs/get-started/applications/configure-par)
* Ensure the `oidc_conformant` property is set to `true` for any clients used for the test. This is the default value for clients created with the Auth0 Dashboard.

Then, follow the instructions below to complete your OpenID FAPI Conformance Tests configuration:

* [Ensure Auth0 prompts users for consent](#ensure-auth0-prompts-users-for-consent)
* [Configure supported ACR claims for the tenant](#configure-supported-acr-claims-for-the-tenant)
* [Remove the alg property from JWKS endpoint](#remove-the-alg-property-from-jwks-endpoint)
* [Add Action to require scope and `redirect_uri`](#add-action-to-require-scope-and-redirect-uri)
* [(FAPI2 profiles only) Ensure `iss` claim is returned in responses](#fapi2-profiles-only-ensure-iss-claim-is-returned-in-responses)

#### Ensure Auth0 prompts users for consent

You will need to ensure that Auth0 prompts users for consent. You may skip this step if the client is configured as a first-party app, and the <Tooltip tip="Resource Server: Server hosting protected resources. Resource servers accept and respond to protected resource requests." cta="View Glossary" href="/docs/glossary?term=Resource+Server">Resource Server</Tooltip> or API supports skipping consent for first-party apps. To ensure Auth0 prompts users for consent, set the `is_first_party` property on the client to `false`:

```bash lines theme={null}
curl --location --request PATCH 'https://{YOUR_DOMAIN}/api/v2/clients/YOUR_CLIENT_ID' \
  --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "is_first_party": false
}'
```

Then, promote your connection to the domain level:

```bash lines theme={null}
curl --location --request PATCH 'https://{YOUR_DOMAIN}/api/v2/connections/YOUR_CONNECTION_ID' \
  --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "is_domain_connection": true
}'
```

#### Configure supported ACR claims for the tenant

The FAPI tests pass a required ACR value of `urn:mace:incommon:iap:silver`. To include the required ACR value in the <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+token">ID token</Tooltip>, add `urn:mace:incommon:iap:silver` to the list of supported ACR values for the tenant:

```bash lines theme={null}
curl --location --request PATCH 'https://{YOUR_DOMAIN}/api/v2/tenants/settings' \
  --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "acr_values_supported": ["urn:mace:incommon:iap:silver"]
}'
```

#### Remove the alg property from JWKS endpoint

To allow for keys to be used with multiple algorithms, not just RS256, remove the tenant's `alg` property from the output of the `/.well-known/jwks.json` endpoint:

```bash lines theme={null}
curl --location --request PATCH 'https://{YOUR_DOMAIN}/api/v2/tenants/settings' \
  --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "flags": {
        "remove_alg_from_jwks": true
    }
}'
```

#### Add Action to require scope and `redirect_uri`

By default, Auth0 allows requests without a scope, assuming the `openid` scope if no scope is present. Auth0 also allows requests without a `redirect_uri`, which you can set in [Actions](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/redirect-with-actions). However, the FAPI conformance tests require Auth0 to be more restrictive.

Add the following Action to enforce the necessary restrictions on scope and `redirect_uri`:

```js lines theme={null}
exports.onExecutePostLogin = async (event, api) => {
  if (!event.request.body || !event.request.body.refresh_token) {
    // Require a scope
    if (!event.request.query.scope) {
      api.access.deny('scope must be provided in the request');
    }
    // To improve the error message if redirect_uri is not present
    if (!event.request.query.redirect_uri) {
      api.access.deny('redirect_uri must be provided in the request');
    }
  }
};
```
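Before deploying the Action, it helps to see exactly which requests it rejects and which it lets through (in particular that refresh-token exchanges are not affected). The following is an added example, not part of the Auth0 docs or of the Action runtime: it re-runs the Action above against hand-built `event` and `api` objects. The `makeApi`, `evaluateRequest` and `runSamples` helpers and the sample requests are constructed for this example; only `onExecutePostLogin` is the Action from this page.

```javascript
// Added example (not Auth0 code): an offline harness that exercises the
// post-login Action from this page with constructed event/api objects.

// The Action exactly as shown on the page.
const onExecutePostLogin = async (event, api) => {
  if (!event.request.body || !event.request.body.refresh_token) {
    // Require a scope
    if (!event.request.query.scope) {
      api.access.deny('scope must be provided in the request');
    }
    // To improve the error message if redirect_uri is not present
    if (!event.request.query.redirect_uri) {
      api.access.deny('redirect_uri must be provided in the request');
    }
  }
};

// Stand-in for the Actions `api` object: records deny() reasons instead of
// terminating a real login transaction.
function makeApi() {
  const denials = [];
  return { access: { deny: (reason) => denials.push(reason) }, denials };
}

// Runs the Action for one constructed request and returns the deny reasons
// (an empty array means the request was allowed through).
async function evaluateRequest(query, body = {}) {
  const api = makeApi();
  await onExecutePostLogin({ request: { query, body } }, api);
  return api.denials;
}

// Sample requests, constructed for this example.
const SAMPLES = {
  compliant: { query: { scope: 'openid', redirect_uri: 'https://client.example/callback' } },
  missingScope: { query: { redirect_uri: 'https://client.example/callback' } },
  missingBoth: { query: {} },
  // A refresh-token grant carries no scope/redirect_uri; the Action must not deny it.
  refreshGrant: { query: {}, body: { refresh_token: 'REFRESH_TOKEN_PLACEHOLDER' } },
};

// Evaluates every sample and returns { sampleName: [denyReasons] }.
async function runSamples() {
  const results = {};
  for (const [name, sample] of Object.entries(SAMPLES)) {
    results[name] = await evaluateRequest(sample.query, sample.body);
  }
  return results;
}

runSamples().then((results) => console.log(JSON.stringify(results, null, 2)));
```

The `refreshGrant` sample is the one worth keeping an eye on: the outer `refresh_token` guard is what keeps the Action from breaking token refreshes, so any edit to the Action should be re-run through the harness to confirm that sample still produces no denials.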

#### (FAPI2 profiles only) Ensure `iss` claim is returned in responses

The FAPI 2.0 Security Profile requires that the `iss` parameter be returned in authorization responses according to [RFC 9207](https://www.rfc-editor.org/info/rfc9207). For compatibility reasons, Auth0 does not do this by default. To enable this behavior, set the `authorization_response_iss_parameter_supported` property in tenant settings to `true`.

```bash lines theme={null}
curl --location --request PATCH "https://{YOUR_DOMAIN}/api/v2/tenants/settings" \
  --header "Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}" \
  --header "Content-Type: application/json" \
  --data-raw '{
    "authorization_response_iss_parameter_supported": true
  }'
```
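Turning the setting on only matters if the client actually checks the parameter. The following is an added example, not code from the Auth0 docs or SDKs, showing the client-side half of RFC 9207: the client reads `authorization_response_iss_parameter_supported` from the server's discovery metadata to decide whether `iss` is mandatory, then compares the `iss` in the redirect with the issuer it expects and rejects the response on mismatch, which is what defeats issuer mix-up. The issuer value (`https://YOUR_DOMAIN/`), the `state` values, the callback URLs and the discovery snippet are constructed placeholders; `requireIssFromMetadata`, `validateAuthorizationResponse` and `buildCallback` are names chosen for this example.

```javascript
// Added example (not Auth0 code): client-side validation of the RFC 9207
// `iss` authorization-response parameter enabled by the tenant setting above.

// Auth0 issuer identifiers end with a trailing slash; the value is a
// placeholder for this example.
const EXPECTED_ISSUER = 'https://YOUR_DOMAIN/';

// Reads the RFC 9207 discovery flag so the client insists on `iss` only when
// the authorization server advertises support for it.
function requireIssFromMetadata(metadata) {
  return metadata.authorization_response_iss_parameter_supported === true;
}

// Validates a redirect back to the client. Returns { ok: true, code } when
// every check passes, otherwise { ok: false, reason } for the first failure.
function validateAuthorizationResponse(callbackUrl, expectedIssuer, expectedState, requireIss) {
  const params = new URL(callbackUrl).searchParams;
  if (params.has('error')) {
    return { ok: false, reason: `error response: ${params.get('error')}` };
  }
  // state binds the response to the request this client actually sent.
  if (params.get('state') !== expectedState) {
    return { ok: false, reason: 'state does not match the pending request' };
  }
  // iss binds the response to the authorization server this client expects.
  const iss = params.get('iss');
  if (iss === null) {
    if (requireIss) return { ok: false, reason: 'iss parameter missing' };
  } else if (iss !== expectedIssuer) {
    return { ok: false, reason: `iss ${iss} does not match expected issuer` };
  }
  const code = params.get('code');
  if (!code) return { ok: false, reason: 'authorization code missing' };
  return { ok: true, code };
}

// Builds a constructed sample callback URL; pass iss = null to omit the parameter.
function buildCallback(code, state, iss) {
  const url = new URL('https://client.example/callback');
  url.searchParams.set('code', code);
  url.searchParams.set('state', state);
  if (iss !== null) url.searchParams.set('iss', iss);
  return url.toString();
}

// Constructed discovery snippet mirroring what the tenant advertises once the
// setting is enabled.
const SAMPLE_METADATA = { authorization_response_iss_parameter_supported: true };

const mustHaveIss = requireIssFromMetadata(SAMPLE_METADATA);
const state = 'STATE_PLACEHOLDER';
console.log(validateAuthorizationResponse(
  buildCallback('CODE_PLACEHOLDER', state, EXPECTED_ISSUER), EXPECTED_ISSUER, state, mustHaveIss));
console.log(validateAuthorizationResponse(
  buildCallback('CODE_PLACEHOLDER', state, 'https://other-issuer.example/'), EXPECTED_ISSUER, state, mustHaveIss));
```

The comparison is an exact string match, as RFC 9207 requires; normalising the issuer (trimming the trailing slash, lower-casing) would reopen the gap the parameter is meant to close, so keep the expected value identical to the `issuer` in the tenant's discovery document.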

## Learn more

* [Configure Private Key JWT Authentication](/docs/get-started/applications/configure-private-key-jwt)
* [Configure mTLS Authentication](/docs/get-started/applications/configure-mtls)
